There are some good ideas for hardening WordPress here: http://codex.wordpress.org/Hardening_WordPress
There could be a vulnerability in a plugin — particularly if you don't keep them up to date, but equally it may have been a theme or a vulnerability in the server.